b"                                                           1701 Duke Street, Suite 500, Alexandria, VA 22314\n                                                           PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com\n\n\n                            INDEPENDENT AUDITOR\xe2\x80\x99S REPORT\n                                    AUD-FM-14-12\n\nTo the United States Commissioner and the Inspector General of the International Boundary and\nWater Commission, United States and Mexico, U.S. Section\n\nReport on the Financial Statements\n\nWe have audited the accompanying consolidated financial statements of the International\nBoundary and Water Commission, United States and Mexico, U.S. Section (USIBWC), which\ncomprise the consolidated balance sheets as of September 30, 2013 and 2012, the related\nconsolidated statements of net cost and changes in net position and the combined statements of\nbudgetary resources for the years then ended, and the related notes to the consolidated financial\nstatements (hereinafter referred to as the \xe2\x80\x9cconsolidated financial statements\xe2\x80\x9d).\n\nManagement\xe2\x80\x99s Responsibility for the Financial Statements\n\nManagement is responsible for the preparation and fair presentation of these consolidated\nfinancial statements in accordance with accounting principles generally accepted in the United\nStates of America; this includes the design, implementation, and maintenance of internal control\nrelevant to the preparation and fair presentation of financial statements that are free from\nmaterial misstatement, whether due to fraud or error.\n\nAuditor\xe2\x80\x99s Responsibility\n\nOur responsibility is to express an opinion on these consolidated financial statements based on\nour audits. We conducted our audits in accordance with auditing standards generally accepted in\nthe United States of America; the standards applicable to financial audits contained in\nGovernment Auditing Standards, issued by the Comptroller General of the United States; and\nOffice of Management and Budget (OMB) Bulletin No. 14-02, Audit Requirements for Federal\nFinancial Statements. Those standards and OMB Bulletin No. 14-02 require that we plan and\nperform the audit to obtain reasonable assurance about whether the consolidated financial\nstatements are free from material misstatement.\n\nAn audit involves performing procedures to obtain audit evidence about the amounts and\ndisclosures in the financial statements. The procedures selected depend on the auditor\xe2\x80\x99s\njudgment, including the assessment of the risks of material misstatement of the financial\nstatements, whether due to fraud or error. In making those risk assessments, the auditor\nconsiders internal control relevant to the entity\xe2\x80\x99s preparation and fair presentation of the financial\nstatements in order to design audit procedures that are appropriate under the circumstances but\nnot for the purpose of expressing an opinion on the effectiveness of the entity\xe2\x80\x99s internal control.\nAccordingly, we express no such opinion. An audit also includes evaluating the appropriateness\nof accounting policies used and the reasonableness of significant accounting estimates made by\nmanagement, as well as evaluating the overall presentation of the financial statements.\n\n\n\n                                                  1\n\x0cWe believe that the audit evidence we have obtained is sufficient and appropriate to provide a\nbasis for our audit opinion.\n\nOpinion on the Consolidated Financial Statements\n\nIn our opinion, the consolidated financial statements referred to above present fairly, in all\nmaterial respects, the financial position of USIBWC as of September 30, 2013 and 2012, and its\nnet cost of operations, changes in net position, and budgetary resources for the years then ended,\nin accordance with accounting principles generally accepted in the United States of America.\n\nEmphasis of Matter\n\nAs discussed in Note 1 and Note 6 to the financial statements, in FY 2013, USIBWC adopted\nnew accounting guidance issued by the Federal Accounting Standards Advisory Board\n(FASAB)\xe2\x80\x94specifically, Technical Bulletin 2006-1, Recognition and Measurement of Asbestos-\nRelated Cleanup Costs. Our opinion is not modified with respect to this matter.\n\nOther Matter\n\nRequired Supplementary Information\n\nAccounting principles generally accepted in the United States of America require that the\nManagement\xe2\x80\x99s Discussion and Analysis, condition assessments of Heritage Assets and\nStewardship Land, Combining Schedule of Budgetary Resources, and Deferred Maintenance\n(hereinafter referred to as \xe2\x80\x9crequired supplementary information\xe2\x80\x9d) be presented to supplement the\nconsolidated financial statements. Such information, although not a part of the consolidated\nfinancial statements, is required by OMB Circular A-136, Financial Reporting Requirements,\nand FASAB, which consider it to be an essential part of financial reporting for placing the\nconsolidated financial statements in an appropriate operational, economic, or historical context.\nWe have applied certain limited procedures to the required supplementary information in\naccordance with auditing standards generally accepted in the United States of America, which\nconsisted of inquiries of management about the methods of preparing the information and\ncomparing it for consistency with management\xe2\x80\x99s responses to our inquiries, the consolidated\nfinancial statements, and other knowledge we obtained during our audits of the consolidated\nfinancial statements. We do not express an opinion or provide any assurance on the information\nbecause the limited procedures do not provide us with sufficient evidence to express an opinion\nor provide any assurance.\n\nOther Reporting Required by Government Auditing Standards\n\nIn accordance with Government Auditing Standards and OMB Bulletin No. 14-02, we have also\nissued reports, dated December 20, 2013, on our consideration of USIBWC\xe2\x80\x99s internal control\nover financial reporting and on our tests of USIBWC\xe2\x80\x99s compliance with certain provisions of\nlaws, regulations, and contracts for the year ended September 30, 2013. The purpose of those\n\n\n                                                2\n\x0creports is to describe the scope of our testing of internal control over financial reporting and\ncompliance and the results of that testing and not to provide an opinion on internal control over\nfinancial reporting or on compliance. Those reports are an integral part of an audit performed in\naccordance with auditing standards generally accepted in the United States of America,\nGovernment Auditing Standards, and OMB Bulletin No. 14-02, in considering USIBWC\xe2\x80\x99s\ninternal control over financial reporting and compliance.\n\n\n\n\nAlexandria, Virginia\nDecember 20, 2013\n\n\n\n\n                                                3\n\x0c                                                           1701 Duke Street, Suite 500, Alexandria, VA 22314\n                                                           PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com\n\n\n\n\n       INDEPENDENT AUDITOR\xe2\x80\x99S REPORT ON INTERNAL CONTROL OVER\n                        FINANCIAL REPORTING\n\nTo the United States Commissioner and the Inspector General of the International Boundary and\nWater Commission, United States and Mexico, U.S. Section\n\nWe have audited the consolidated financial statements of the International Boundary and Water\nCommission, United States and Mexico, U.S. Section (USIBWC) as of and for the year ended\nSeptember 30, 2013, and have issued our report thereon dated December 20, 2013. We\nconducted our audit in accordance with auditing standards generally accepted in the United\nStates of America; the standards applicable to financial audits contained in Government Auditing\nStandards, issued by the Comptroller General of the United States; and Office of Management\nand Budget (OMB) Bulletin No. 14-02, Audit Requirements for Federal Financial Statements.\n\nInternal Control Over Financial Reporting\n\nIn planning and performing our audit of the consolidated financial statements, we considered\nUSIBWC\xe2\x80\x99s internal control over financial reporting (internal control) as a basis for designing\naudit procedures that are appropriate under the circumstances for the purpose of expressing our\nopinion on the consolidated financial statements but not for the purpose of expressing an opinion\non the effectiveness of USIBWC\xe2\x80\x99s internal control. Accordingly, we do not express an opinion\non the effectiveness of USIBWC\xe2\x80\x99s internal control. We limited our internal control testing to\nthose controls necessary to achieve the objectives described in OMB Bulletin No. 14-02. We did\nnot test all internal controls relevant to operating objectives as broadly defined by the Federal\nManagers\xe2\x80\x99 Financial Integrity Act of 1982, such as those controls relevant to ensuring efficient\noperations.\n\nA deficiency in internal control exists when the design or operation of a control does not allow\nmanagement or employees, in the normal course of performing their assigned functions, to\nprevent, or detect and correct, misstatements on a timely basis. A material weakness is a\ndeficiency, or combination of deficiencies, in internal control such that there is a reasonable\npossibility that a material misstatement of the entity\xe2\x80\x99s financial statements will not be prevented,\nor detected and corrected on a timely basis.\n\nOur consideration of internal control was for the limited purpose described in the preceding\nparagraphs and was not designed to identify all deficiencies in internal control that might be\nmaterial weaknesses. Given these limitations, during our audit, we did not identify any\ndeficiencies in internal control that we consider to be material weaknesses. However, material\nweaknesses may exist that have not been identified.\n\nOur audit was also not designed to identify deficiencies in internal control that might be\nsignificant. A significant deficiency is a deficiency, or combination of deficiencies, in internal\n\n\n\n\n                                                 1\n\x0ccontrol that is less severe than a material weakness yet important enough to merit attention by\nthose charged with governance. We consider the following deficiencies in USIBWC\xe2\x80\x99s internal\ncontrol to be significant deficiencies.\n\n                                      Significant Deficiencies\n\nI.       Property and Equipment\n\nUSIBWC owns a significant amount of diverse property and equipment. As of September 30,\n2013, USIBWC reported $857 million in property and equipment, which included real and\npersonal property. Since USIBWC owns and maintains assets at multiple locations along the\nborder between the United States and Mexico, it is essential for USIBWC to have controls in\nplace to monitor and maintain these assets. We identified control deficiencies with USIBWC\xe2\x80\x99s\nproperty and equipment processes that, when aggregated, constituted a significant deficiency in\ninternal control. Property and equipment was also reported as a significant deficiency in our\naudit of USIBWC\xe2\x80\x99s FY 2012 financial statements. The individual deficiencies we identified are\nsummarized as follows:\n\n     \xe2\x80\xa2   Recording Construction-in-Progress Transactions \xe2\x80\x93 Construction costs should be\n         recorded as construction-in-progress (CIP) until the asset being constructed is placed in\n         service, at which time the balance should be transferred to a general property and\n         equipment account. We found that 9 of 26 operating expenses tested were construction\n         costs that should have been classified as CIP. After we identified these errors, USIBWC\n         performed an analysis of operating expense activity and identified a number of additional\n         instances in which CIP was improperly classified as operating expenses. Additionally,\n         we identified a CIP project with a negative balance, which required a manual adjusting\n         entry. As a result of audit work and USIBWC management\xe2\x80\x99s analysis, more than $15.9\n         million in operating expenses were reclassified as CIP during FY 2013. Because\n         USIBWC does not always process payments to construction vendors using system codes\n         that will automatically record payments as CIP, USIBWC had implemented a process to\n         manually review transactions recorded to CIP and operating expenses each quarter to\n         identify and correct items that were not recorded correctly. However, because of the\n         manual nature and timing of this review, not all transactions that were improperly\n         recorded had been identified by the time of our audit. Due to the size of several active\n         USIBWC CIP projects, significant amounts may be misclassified and not detected.\n\n     \xe2\x80\xa2   Depreciation Expense Errors \xe2\x80\x93 Depreciation expense should be calculated through the\n         systematic and rational allocation of the cost of property and equipment, less its estimated\n         salvage or residual value, over the estimated useful life of an asset. During our review of\n         depreciation expense, we identified unusual account activity, which USIBWC officials\n         confirmed was erroneous. During FY 2013, USIBWC transferred property account\n         balances between two appropriations. When the transfer was processed, the Global\n         Financial Management System (GFMS) treated the assets as newly acquired, and\n         depreciation expense was recorded back to the date that the assets were placed into\n         service. However, the system had already recorded depreciation expense for the assets,\n         which was not reversed when the assets were transferred. The error resulted in a $7.3\n\n\n                                                  2\n\x0c           million overstatement of expenses. Because USIBWC does not routinely transfer assets\n           between appropriations, USIBWC officials were unaware of how GFMS would process\n           the adjustment. Although USIBWC had a control in place to review and analyze account\n           balances at the financial statement level, the control was not designed to identify and\n           resolve errors in individual accounts, such as depreciation expenses. Without effective\n           routine account-level reviews, errors, anomalies, or unexpected account fluctuations may\n           go unidentified.\n\nII.        Information Technology\n\nUSIBWC uses key information systems maintained by the U.S. Department of State\n(Department), including the general support systems and applications for accounting, budget\nexecution, procurement, and logistics. The Department is responsible for maintaining an\nadequate general and application control environment over these systems. We evaluated the\nDepartment\xe2\x80\x99s internal control structure surrounding the general support system and key financial\napplications that are used by USIBWC. In general, our audit and an audit performed by the\nOffice of Inspector General (OIG) found that the Department had not implemented effective\nstandards, policies, processes, and procedures over its information security program and its\nfinancial applications.\n\nWe noted weaknesses and vulnerabilities in the general support system and several key\napplications maintained by the Department. These deficiencies are inherited by USIBWC and\npresent a risk to financial and other data, which, in aggregate, we consider to be a significant\ndeficiency in internal control. While we noted that USIBWC had developed some processes and\ncontrols to compensate for the deficiencies identified in the Department\xe2\x80\x99s systems, not all risks\nand deficiencies related to the systems shared with the Department were fully mitigated by those\ncompensating controls. Information technology was also reported as a significant deficiency in\nour audit of USIBWC\xe2\x80\x99s FY 2012 financial statements. The following weaknesses, identified\nduring Department audits, impact USIBWC:\n\n       \xe2\x80\xa2   Information Security Program \xe2\x80\x93 The Department\xe2\x80\x99s OIG performed an audit of the\n           Department\xe2\x80\x99s information security program for FY 2013 in accordance with the Federal\n           Information Security Management Act of 2002 (FISMA). 1 OIG identified numerous\n           weaknesses in the Department\xe2\x80\x99s information security program, which, in aggregate, was\n           reported as a FISMA significant deficiency. OIG reported weaknesses in the areas of [Re\n           [Redacted] (b) (5)                       plans of action and milestones, and the    dac\n                                                                                               ted]\n           continuous monitoring program. [Redacted] (b) (5)                                   (b)\n      [Redacted] (b) (5)\n                                                                                               (5)\n\n\n\n\n1\n    Audit of the Department of State Information Security Program (AUD-IT-14-03, Nov. 2013).\n\n\n                                                         3\n\x0c    \xe2\x80\xa2   Audit Logs for Financial Applications \xe2\x80\x93 During the audit of the Department\xe2\x80\x99s FY 2012\n        financial statements, we performed risk-based testing procedures of the Department\xe2\x80\x99s\n        financial applications. We identified deficiencies for GFMS, which is used by USIBWC\n        as its core accounting system. Specifically, the Department did not regularly review\n        audit logs for suspicious behavior or malfunctions. For example, the Department did not\n        have an effective process to log and independently monitor changes to the permissions\n        granted to user accounts. In FY 2013, the Department took steps to remediate this\n        condition. However, the Department had not completed several steps to effectively\n        implement application monitoring controls. By not reviewing the audit logs on a regular\n        basis, the Department did not have reasonable assurance that inappropriate access or\n        changes to user accounts would be identified in a timely manner.\n\nDuring the audit, we noted certain additional matters involving internal control over financial\nreporting that we will report to USIBWC\xe2\x80\x99s management in a separate letter.\n\n                      Summary of Significant Internal Control Deficiencies\n\nIn the Report on Internal Control included in the audit report on USIBWC\xe2\x80\x99s FY 2012 financial\nstatements, 2 we noted several issues that were related to internal control over financial reporting.\nThe status of each issue is summarized in Table 1.\n\n                 Table 1. Summary of Significant Internal Control Deficiencies\n           Control Deficiency                        FY 2012 Status                  FY 2013 Status\n\nProperty and Equipment                            Significant Deficiency          Significant Deficiency\n\nBudgetary Accounting                              Significant Deficiency           Management Letter\n\nInformation Technology                            Significant Deficiency          Significant Deficiency\n\nUSIBWC\xe2\x80\x99s Response to Findings\n\nUSIBWC management has provided its response to our findings in a separate memorandum\nattached to this report. We did not audit management\xe2\x80\x99s response, and accordingly, we express\nno opinion on it.\n\nPurpose of This Report\n\nThe purpose of this report is solely to describe the scope of our testing of internal control over\nfinancial reporting and the results of that testing and not to provide an opinion on the\neffectiveness of USIBWC\xe2\x80\x99s internal control. This report is an integral part of an audit performed\nin accordance with auditing standards generally accepted in the United States of America,\n\n\n2\n Independent Auditor\xe2\x80\x99s Report on the International Boundary and Water Commission, United States and Mexico,\nU.S. Section, 2012 Financial Statements (AUD-FM-13-10, Dec. 2012).\n\n\n                                                      4\n\x0cGovernment Auditing Standards, and OMB Bulletin No. 14-02 in considering the entity\xe2\x80\x99s\ninternal control over financial reporting. Accordingly, this report is not suitable for any other\npurpose.\n\n\n\n\nAlexandria, Virginia\nDecember 20, 2013\n\n\n\n\n                                                 5\n\x0c                                                        1701 Duke Street, Suite 500, Alexandria, VA 22314\n                                                        PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com\n\n\n   INDEPENDENT AUDITOR\xe2\x80\x99S REPORT ON COMPLIANCE WITH APPLICABLE\n         PROVISIONS OF LAWS, REGULATIONS, AND CONTRACTS\n\nTo the United States Commissioner and the Inspector General of the International Boundary and\nWater Commission, United States and Mexico, U.S. Section\n\nWe have audited the consolidated financial statements of the International Boundary and Water\nCommission, United States and Mexico, U.S. Section (USIBWC) as of and for the year ended\nSeptember 30, 2013, and have issued our report thereon dated December 20, 2013. We\nconducted our audit in accordance with auditing standards generally accepted in the United\nStates of America; the standards applicable to financial audits contained in Government Auditing\nStandards, issued by the Comptroller General of the United States; and Office of Management\nand Budget (OMB) Bulletin No. 14-02, Audit Requirements for Federal Financial Statements.\n\nCompliance\n\nAs part of obtaining reasonable assurance about whether USIBWC\xe2\x80\x99s consolidated financial\nstatements are free from material misstatement, we performed tests of its compliance with certain\nprovisions of laws, regulations, and contracts, noncompliance with which could have a direct and\nmaterial impact on the determination of financial statement amounts, and certain provisions of\nother laws and regulations specified in OMB Bulletin No. 14-02, that we determined were\napplicable. We limited our tests of compliance to these provisions and did not test compliance\nwith all laws, regulations, and contracts applicable to USIBWC. However, providing an opinion\non compliance with those provisions was not an objective of our audit, and accordingly, we do\nnot express such an opinion. The results of our tests disclosed no instances of noncompliance\nthat are required to be reported under Government Auditing Standards or OMB Bulletin No. 14-\n02.\n\nPurpose of This Report\n\nThe purpose of this report is solely to describe the scope of our testing of compliance and the\nresults of that testing and not to provide an opinion on the effectiveness of USIBWC\xe2\x80\x99s\ncompliance. This report is an integral part of an audit performed in accordance with auditing\nstandards generally accepted in the United States of America, Government Auditing Standards,\nand OMB Bulletin No. 14-02 in considering USIBWC\xe2\x80\x99s compliance. Accordingly, this report is\nnot suitable for any other purpose.\n\n\n\n\nAlexandria, Virginia\nDecember 20, 2013\n\n\n                                               1\n\x0c                              INTERNATIONAL BOUNDARY AND WATER COMMISSION\n                                        UNITED STATES AND MEXICO\n\nOfflCE OF THE COMM IS5JONER                        December 23, 2013\n  UNITED STATESSECfiON\n\n\n\n      Mr. Harold W. Geisel\n      United States Department of State\n      Deputy Inspector General\n      Office oflnspector General\n      Washington, D. C. 20520\n\n      Subject: Independent Auditor's Report to the audit of the United States Commissioner and the\n      Inspector General of the International Boundary and Water Commission, United States and Mexico,\n      U.S. Section\n\n      Dear Mr. Geisel:\n\n      We received and have reviewed the draft Independent Auditor's Report of the United States Section,\n      International Boundary and Water Commission (IBWC), 2013 and 2012 financial statements. Thank\n      you for the opportunity to comment on your audit recommendations.\n\n      Attached please find our responses to each of the recommendations as reported in the draft\n      Independent Auditor's Report. Please advise if you have any questions or if we may be of any\n      assistance.\n\n\n\n\n                                                      Edward Drusina, P.E.\n                                                      Commissioner\n\n\n\n\n                  The Commons, Building C, Suite 100 \xe2\x80\xa2 4171 N. Mesa Street \xe2\x80\xa2 El Paso, Texas 79902-1441\n                            (915) 832-4100 \xe2\x80\xa2 Fax: (915} 832-4190 \xe2\x80\xa2 http:/ jwww.ibwc.gov\n\n\n\n\n                                                           1\n\x0c        Independent Auditor's Report on Internal Control over Financial Reporting\n\nSignificant Deficiencies\n\nI. Property and Equipment\n\nRecording Construction-in-Progress Transactions - Construction costs should be recorded as\nconstruction-in-progress (CIP) until the asset being constructed is placed in service, at which time the\nbalance should be transferred to a general property and equipment account. We found that 9 of26\noperating expenses tested were construction costs that should have been classified as CIP. After we\nidentified these errors, US IBWC performed an analysis of operating expense activity and identified a\nnumber of additional instances in which C!P was improperly classified as operating expenses.\nAdditionally, we identified a CIP project with a negative balance, which required a manual adjusting\nentry. As a result of audit work and USIBWC management' s analysis, more than $ 15.9 million in\noperating expenses were reclassified as ClP during FY 2013. Because USIBWC does not always\nprocess payments to construction vendors using system codes that will automatically record payments\nas CIP, USIBWC had implemented a process to manually review transactions recorded to CIP and\noperating expenses each quarter to identify and correct items that were not recorded correctly.\nHowever, because of the manual nature and timing of this review, not all transactions that were\nimproperly recorded had been identified by the time of our audit. Due to the size of several active\nUSIBWC CIP projects, significant amounts may be misclassified and not detected.\n\nResponse: Concur\nThe USIBWC Accounting Officer will work with the Department of State management officials\nresponsible for the GFMS system to see if the posting logic for recording CIP transactions can be\nmodified to require the project code for construction projects. Until the issue with the posting logic can\nbe resolved, the USIBWC will review construction-in-progress and operating expense transactions\nprior to posting to ensure the transactions are posted with a project code.\n\nIf the requested modification to the GFMS posting logic cannot be implemented, USIBWC will\nensure project codes are assigned for each capital project when the contract award and obligation are\nrecorded and ensure all capital project payments are processed against the correct project code.\nQuarterly, the usmwc will review the construction-in-progress projects and ensure the balances are\nappropriate as well as continue to review posted transactions to ensure they are recorded correctly.\n\n\nDepreciation Expense Errors- Depreciation expense should be calculated through the systematic and\nrational allocation of the cost of property and equipment, less its estimated salvage or residual value,\nover the estimated useful life of an asset. During our review of depreciation expense, we identified\nunusual account activity, which USIBWC officials confirmed was erroneous. During FY 20 13,\nUS IBWC transferred property account balances between two appropriations. When the transfer was\nprocessed, the Global Financial Management System (GFMS) treated the assets as newly acquired, and\ndepreciation expense was recorded back to the date that the assets were placed into service. However,\nthe system had already recorded depreciation expense for the assets, which was not reversed when the\nassets were transferred. The error resulted in a $7.3 million overstatement of expenses. Because\nUSIBWC does not routinely transfer assets between appropriations, USIBWC officials were unaware\nof how GFMS would process the adjustment. Although USIBWC had a control in place to review and\nanalyze account balances at the financial statement level, the control was not designed to identify and\n\n\n\n\n                                                     2\n\x0c     resolve errors in individual accounts, such as depreciation expenses. Without effective routine account-\n     level reviews, errors, anomalies, or unexpected account fluctuations may go unidentified.\n\n     Response: Concur\n     The transfer of assets from the S&E appropriation to the Construction appropriation was a nonrecurring,\n     one-time event and USLBWC does not foresee doing this in the future except to correct an error. Going\n     forward, all PP&E transactions will be funded by the Construction appropriation and there should be no\n     need to make such a transfer in the future. In the event that such a transfer ofPP&E is necessary,\n     rBWC is now aware of the effect the transfer will have on depreciation and will make the necessary\n     correcting entries to bring the depreciation expense back to the correct balance. USIBWC will conduct\n     a review of all accounts involved prior to and after the transfer.\n\n     Additionally, USIBWC will conduct analytical reviews at the individual account level, in addition to\n     the financial statement level, to identify errors in account balances that may not otherwise be identified.\n\n\n     II. Information Technology\n\n     Information Security Program - The Department' s OIG performed an audit of the Department' s\n     information security program for FY 2013 in accordance with the Federal Information Security\n     Management Act of2002 (FISMA). OJG identified numerous weaknesses in the Department's\n     information security program, which, in aggregate, was reported as a FISMA significant deficiency.\n     OIG reported weaknesses in the areas of [Redacted] (b) (5)                           plans of action\n     and milestones, and the continuous monitoring program. [Redacted] (b) (5)\n[Redacted] (b) (5)\n\n\n\n\n     Audit Logs for Financial Applications - During the audit of the Department's FY 2012 financial\n     statements, we performed risk-based testing procedures of the Department' s financial applications. We\n     identified deficiencies for GFMS, which is used by USIBWC as its core accounting system.\n     Specifically, the Department did not regularly review audit logs for suspicious behavior or malfunctions.\n     For example, the Department did not have an effective process to log and independently monitor changes to\n     the permissions granted to user accounts. In FY 2013, the Department took steps to remediate this\n     condition. However, the Department had not completed several steps to effectively implement application\n     monitoring controls. By not reviewing the audit logs on a regular basis, the Department does not have\n     reasonable assurance that inappropriate access or changes to user accounts would be identified in a timely\n     manner.\n\n     Response: Concur\n     The USIBWC will work with management officials from the Department of State over the general\n     support system and financial applications to work closely in implementing compensating controls as\n     recommended under this finding, [Redacted] (b) (5)\n     changes to user accounts in a timely manner.\n\n\n\n\n                                                         3\n\x0c"